A Honeypot or honey trap is an exciting technology with great potential for the security community. It is an information system resource (a monitored decoy) used to attract attackers away from critical resources, as well as a tool for analysing an attacker's methods and characteristics. In effect, it is a trap set to detect attempts at unauthorized use of an information system. The value of a Honeypot lies in the unauthorized and illicit use of that resource: no authorised activity runs on it and it has no production value. In short, it has no legitimate activity. Unlike firewalls or Intrusion Detection Systems, Honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes.
A Honeypot can detect attacks by capturing polymorphic code, capturing a variety of attacks, working with encrypted data and acquiring signatures. It provides a large amount of valuable information for analysis. It is a valuable surveillance and early-warning tool, but it can carry risks to a network and must be handled with care. It requires a high level of network administration skill and an understanding of protocols and security. Two or more Honeypots on a network form a Honeynet. Generally a Honeynet is used for monitoring a large and/or diverse network in which one Honeypot may not be sufficient.
Modes of Honeypot
Research mode: In this mode the Honeypot characterizes the attack environment by collecting data on attacker motivations, attack trends and emerging threats.
Production mode: The Honeypot is used to prevent, detect and respond to attacks. Prevention is accomplished through deterrence, i.e. by impeding scans initiated by attackers and diverting an attacker to interact with the Honeypot rather than with critical files.
Types of Honeypot
Low-Interaction Honeypot: As the name suggests, it has limited interaction and provides a minimal emulation of an operating system running on the target computer. It is easy to deploy because of its limited operating system emulation and ease of maintenance. Generally deployment involves installing software, then selecting the operating system and the services we want to emulate and monitor.
The simplicity of a Low-Interaction Honeypot is its main advantage, but it logs only limited information and is designed to capture known activity, which makes it easier for a skilled attacker to detect.
High-Interaction Honeypot: This type of Honeypot provides a much more realistic target for an attacker, as it involves real operating systems and applications rather than an emulation of the operating system and its services.
Its main advantages are that, unlike a Low-Interaction Honeypot, the acquired information is much more detailed and it provides an open environment that captures all activities. However, it is more vulnerable to compromise, and an attacker could possibly use it as a platform to launch an attack on critical information system resources.
Value of Honeypot
Honeypots can help prevent attacks in several ways.
The first is against automated attacks (such as worms), which are based on tools that randomly scan entire networks looking for vulnerable systems. If vulnerable systems are found, these automated tools then attack and take over the system. One way Honeypots can help defend against such attacks is by slowing their scanning down. Such solutions monitor unused IP space and are called sticky Honeypots. When probed by such scanning activity, these Honeypots interact with the scanner and slow the attacker down. This is excellent for slowing down or preventing the spread of a worm that has penetrated our internal organization. Sticky Honeypots are most often low-interaction solutions.
Honeypots can also protect our organization from human attackers through deception. The Honeypot confuses an attacker, making him waste his time and resources interacting with the Honeypot rather than with the real production system. Meanwhile, the attacker's activity can be detected and we have the time to respond and stop the attacker.
The second way Honeypots can help protect an organization is through detection. The purpose of detection is to identify a breakdown. Even if an organisation is extremely secure, a failure can always occur because no security system is 100% safe. By detecting an attacker, we can react quickly, stopping or mitigating the damage they do. Honeypots excel at detection, addressing many of the problems of traditional detection: they reduce false positives by capturing small data sets of high value, capture unknown attacks such as new exploits or polymorphic shellcode, and work in encrypted and IPv6 environments. In general, low-interaction Honeypots make the best solutions for detection. They are easier to deploy and maintain than high-interaction Honeypots and carry reduced risk.
The third and final way a Honeypot can help protect an organization is in response. One of the greatest challenges organisations face today is how to respond to an attack. There is often little information regarding the attacker(s), how they got in, or how much damage they have done. In these situations detailed information on the attacker's activity is critical. The main problem in attack response is that often the compromised system is a production system running essential services, so it is difficult to take it offline. Even if the system is taken offline, there are so many logs and data entries that it can be difficult to determine what is normal day-to-day activity and what is attacker activity.
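As an added example (not from the original article), the following Python sketch combines the low-interaction, sticky and detection ideas above in one small decoy: it presents a fake SMTP banner on an otherwise unused port, delays each read to slow scanners down, keeps a bounded sample of whatever the client sends, and emits one structured alert per connection. Because nothing legitimate should ever talk to it, every record is a true positive. The banner, port and delay values are constructed placeholders.

```python
import json
import socket
import socketserver
import time
from datetime import datetime, timezone

# Constructed placeholders: a fake banner on a port no real service uses.
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"
LISTEN_PORT = 2525
STICKY_DELAY = 2.0   # seconds added per client read, to slow scanners down
MAX_CAPTURE = 512    # bounded sample of attacker input kept per session

def make_event(peer, data, service="smtp-decoy"):
    """One unsolicited connection -> one structured alert record. No legitimate
    traffic reaches the decoy, so every record is a true positive."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "service": service,
        # A bare connect-and-close is a scan; any payload is real interaction.
        "kind": "interaction" if data else "probe",
        "bytes": len(data),
        "sample": data[:MAX_CAPTURE].decode("latin-1"),
    }

class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        sock = self.request
        sock.settimeout(10)
        sock.sendall(FAKE_BANNER)  # minimal emulation: banner only, no real service
        buf = b""
        try:
            while len(buf) < MAX_CAPTURE:
                chunk = sock.recv(256)
                if not chunk:
                    break
                buf += chunk
                time.sleep(STICKY_DELAY)  # tarpit: each read costs the scanner time
        except (socket.timeout, ConnectionError):
            pass
        # One JSON line per session, ready to ship to a SIEM or log collector.
        print(json.dumps(make_event(self.client_address, buf)), flush=True)

if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", LISTEN_PORT), DecoyHandler) as srv:
        srv.serve_forever()
```

Run it on a host with no real mail service and forward its stdout to your log pipeline; any line it ever prints is worth a look.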
Honeypots can help address both problems. Honeypots make an excellent incident response tool, as they can quickly and easily be taken offline for a full forensic analysis, without impacting day-to-day production operations. Also, the only activity a Honeypot captures is unauthorized or malicious activity (as already mentioned). This makes hacked Honeypots much easier to analyse than hacked production systems, as any data we retrieve from a Honeypot is most likely related to the attacker. The value Honeypots provide here is quickly giving organizations the in-depth information they need to respond to an attack effectively. Generally high-interaction Honeypots make the best solution for response.
Advantages of Honeypots
Relevant data set: Honeypots collect a small amount of data, but almost all of it is real attack or unauthorized activity.
Reduced false positives: With most detection technologies (IDS, IPS) a large percentage of alerts are false warnings, whereas with Honeypots this is not the case.
Reduced false negatives: It is easy for Honeypots to detect and record attacks that have not been seen before.
Cost effective: A Honeypot only interacts with malicious activity and does not require high-performance resources.
Simplicity: Honeypots are very simple to understand, deploy and maintain.
Disadvantages of Honeypots
Limited view: Honeypots only see activities that interact with them and do not capture attacks directed against other existing systems.
Risk of being compromised: A Honeypot may be used as a platform to launch further attacks.
Because of these disadvantages, Honeypots do not replace any security mechanisms; they only work alongside and enhance your overall security.
Risk with Honeypots
- Human intervention is required.
- Attackers are expected to gain privileged control of the Honeypot.
- It can become a stepping stone to harm other systems.
- Fingerprinting of the Honeypot by the attacker must be eliminated.
- Attackers may feed the Honeypot false or bogus information.
- Chess problem!
Honeypots are a good resource for tracking hackers. The value of Honeypots is in being hacked.